Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 10692 | 727 | 3080 | 3407 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-40496 | UNKNOWN | — | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: … | Apr 21, 2026 |
| CVE-2026-40250 | UNKNOWN | — | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through … | Apr 21, 2026 |
| CVE-2026-40244 | UNKNOWN | — | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.4.0 through … | Apr 21, 2026 |
| CVE-2026-39973 | HIGH | 7.1 | Apktool is a tool for reverse engineering Android APK files. In versions 3.0.0 and 3.0.1, a path traversal vulnerability in `brut/androlib/res/decoder/ResFileDecoder.java` allows a maliciously crafted … | Apr 21, 2026 |
| CVE-2026-39886 | MEDIUM | 5.3 | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Versions 3.4.0 through 3.4.9 … | Apr 21, 2026 |
| CVE-2026-39866 | UNKNOWN | — | Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in release_update.yml workflow dispatch input allows arbitrary code execution. Commit … | Apr 21, 2026 |
| CVE-2026-40264 | UNKNOWN | — | OpenBao is an open source identity-based secrets management system. OpenBao's namespaces provide multi-tenant separation. Prior to version 2.5.3, a tenant who leaks token accessors can … | Apr 21, 2026 |
| CVE-2026-39946 | UNKNOWN | — | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, when OpenBao revoked privileges on a role in the PostgreSQL database secrets … | Apr 21, 2026 |
| CVE-2026-39861 | UNKNOWN | — | Claude Code is an agentic coding tool. Prior to version 2.1.64, Claude Code's sandbox did not prevent sandboxed processes from creating symlinks pointing to locations … | Apr 21, 2026 |
| CVE-2026-39396 | LOW | 3.1 | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, `ExtractPluginFromImage()` in OpenBao's OCI plugin downloader extracts a plugin binary from a … | Apr 21, 2026 |
| CVE-2026-39388 | UNKNOWN | — | OpenBao is an open source identity-based secrets management system. Prior to version 2.5.3, OpenBao's Certificate authentication method, when a token renewal is requested and `disable_binding=true` … | Apr 21, 2026 |
| CVE-2026-39386 | HIGH | 8.8 | Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated … | Apr 21, 2026 |
| CVE-2026-39378 | MEDIUM | 6.5 | The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when `HTMLExporter.embed_images=True`, nbconvert's markdown renderer … | Apr 21, 2026 |
| CVE-2026-39377 | MEDIUM | 6.5 | The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations … | Apr 21, 2026 |
| CVE-2026-39320 | HIGH | 7.5 | Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.25.0 are vulnerable to an unauthenticated … | Apr 21, 2026 |
| CVE-2026-41331 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers can exploit … | Apr 21, 2026 |
| CVE-2026-41330 | MEDIUM | 4.4 | OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. … | Apr 21, 2026 |
| CVE-2026-41329 | CRITICAL | 9.9 | OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper … | Apr 21, 2026 |
| CVE-2026-41303 | HIGH | 8.8 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord … | Apr 21, 2026 |
| CVE-2026-41302 | HIGH | 7.6 | OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attackers … | Apr 21, 2026 |
| CVE-2026-41301 | MEDIUM | 5.3 | OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before … | Apr 21, 2026 |
| CVE-2026-41300 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoints by having … | Apr 21, 2026 |
| CVE-2026-41299 | HIGH | 7.1 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket … | Apr 21, 2026 |
| CVE-2026-41298 | MEDIUM | 5.4 | OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by … | Apr 21, 2026 |
| CVE-2026-41297 | HIGH | 7.6 | OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated … | Apr 21, 2026 |